Debian Security Advisory
DLA-3654-1 freerdp2 -- LTS security update
- Date Reported:
- 17 Nov 2023
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 1001062, Bug 1021659.
In Mitre's CVE dictionary: CVE-2021-41160, CVE-2022-24883, CVE-2022-39282, CVE-2022-39283, CVE-2022-39316, CVE-2022-39318, CVE-2022-39319, CVE-2022-39347, CVE-2022-41877.
- More information:
Debian Bug : 1001062 1021659
Multiple vulnerabilties have been found in freelrdp2, a free implementation of the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows authentication bypasses on configuration errors, buffer overreads, DoS vectors, buffer overflows or accessing files outside of a shared directory.
In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region.
Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.
FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected.
All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected.
In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash.
Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero.
Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server.
Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory.
Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server.
For Debian 10 buster, these problems have been fixed in version 2.3.0+dfsg1-2+deb10u4.
We recommend that you upgrade your freerdp2 packages.
For the detailed security status of freerdp2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/freerdp2
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS